CASE IN POINT | When can a Facebook user expect privacy?

Facebook connections are established through the process of “friending” another user. If the Facebook user posts a photo of himself or herself she/he must have to select a desired privacy setting. If she/he uses thee setting “Only me” the digital image can be viewed only by the user. If not, it will be viewed by the public, thus, there is no expectation of privacy.

In Rhonda Ave S. Vivares, et al. v. St. Theresa’s Colleges, et al., G.R. No. 202666, September 29, 2014, Velasco, J, it appears that some graduating students of the school took digital pictures of themselves clad only in their underwears while changing their swimsuits in a beach party they were about to attend.

The pictures were posted on their Facebook accounts.

Pictures were also later uploaded, showing them drinking liquor and smoking cigarettes inside a bar.
The computer teacher of the school was able to identify the students through some of the students.

After investigation, they were prevented from joining the commencement exercises.

A petition was filed to compel the school to allow them to join, but while it was granted, the school stood firm and did not allow them to join.

A Petition for Habeas Data was filed by their parents on the basis of the following considerations:

The photos were taken merely for posterity sake;
The privacy setting of their children’s Facebook accounts was set as “Friends Only;”
There was violation of their children’s privacy;
The photos belonged to the girls and thus, cannot be used or reproduced without their consent, hence the reproduction violated their rights by saving digital copies of the photos and by subsequently showing them to school officials, thus, intruding into their privacy;
The intrusion into the Facebook accounts and the copying of informations, data and digital images happened at the school’s computer laboratory;
All the data and digital images that were extracted were boldly broadcasted by respondents through their memorandum submitted to the court.

To petitioners, the interplay of the foregoing constitutes an invasion of their children’s privacy and, thus, prayed that: (a) a writ of habeas data be issued; (b) respondents be ordered to surrender and deposit with the court all soft and printed copies of the subject data before or at the preliminary hearing; and (c) after trial, judgment be rendered declaring all information, data, and digital images accessed, saved or stored, reproduced, spread and used, to have been illegally obtained in violation of the children’s right to privacy.

Finding the petition sufficient in form and substance, the court issued the writ of habeas data. Through the same Order, respondents were directed to file their verified written return, together with the supporting affidavits, within five (5) working days from service of the writ.
In time, respondents complied with the RTC’s directive and filed their verified written return, laying down the following grounds for the denial of the petition, viz: (a) petitioners are not the proper parties to file the petition; (b) the instant case is not one where a writ of habeas data may issue; and (c) there can be no violation of their right to privacy as there is no reasonable expectation of privacy on Facebook.

Subsequently, however, the RTC denied the petition.

The trial court ruled that, petitioners failed to prove the existence of an actual or threatened violation of the minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas data and that the photos, having been uploaded on Facebook, without restrictions as to who may view them, lost their privacy in some way. Besides, the school gathered the photographs through legal means and for a legal purpose, that is, the implementation of the school’s policies and rules on discipline.

Hence, petitioners filed with the SC a petition pursuant to Section 19 of the Rule on Habeas Data.
The main issue to be threshed out in this case is whether or not a writ of habeas data should be issued given the factual milieu on the issue of whether there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or security of the minors involved in this case.
The SC ruled in the negative and

Held: The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party. It is an independent and summary remedy designed to protect the image, privacy, honor, information, and freedom of information of an individual, and to provide a forum to enforce one’s right to the truth and to informational privacy. It seeks to protect a person’s right to control information regarding oneself, particularly in instances in which such information is being collected through unlawful means in order to achieve unlawful ends.

In developing the writ of habeas data, the court aimed to protect an individual’s right to informational privacy, among others. A comparative law scholar has, in fact, defined habeas data as “a procedure designed to safeguard individual freedom from abuse in the information age.”(See Andres Guadamuz, Habeas Data and the European Data Protection Directive, in THE JOURNAL OF INFORMATION, LAW AND TECHNOLOGY (JILT) (2001), cited in former Chief Justice Reynato S. Puno’s speech, The Common Right to Privacy (2008)).

The writ, however, will not issue on the basis merely of an alleged unauthorized access to information about a person.

Availment of the writ requires the existence of a nexus between the right to privacy on the one hand, and the right to life, liberty or security on the other. (Gamboa v. Chan). Thus, the existence of a person’s right to informational privacy and a showing, at least by substantial evidence, of an actual or threatened violation of the right to privacy in life, liberty or security of the victim are indispensable before the privilege of the writ may be extended. (See Roxas v. Macapagal-Arroyo, G.R. No. 189155, September 7, 2010, 630 SCRA 211).

Without an actionable entitlement in the first place to the right to informational privacy, a habeas data petition will not prosper.

The Right to Informational Privacy
There are three strands of the right to privacy, viz: (1) locational or situational privacy; (Refers to the privacy that is felt in physical space, such as that which may be violated by trespass and unwarranted search and seizure.) (2) informational privacy; and (3) decisional privacy. Of the three, what is relevant to the case at bar is the right to informational privacy––usually defined as the right of individuals to control information about themselves.

How Facebook connections are established.

Facebook connections are established through the process of “friending” another user. By sending a “friend request,” the user invites another to connect their accounts so that they can view any and all “Public” and “Friends Only” posts of the other. Once the request is accepted, the link is established and both users are permitted to view the other user’s “Public” or “Friends Only” posts, among others. “Friending,” therefore, allows the user to form or maintain one-to-one relationships with other users, whereby the user gives his or her “Facebook friend” access to his or her profile and shares certain information to the latter.

How to regulate visibility and accessibility of digital images on Facebook.
For instance, a Facebook user can regulate the visibility and accessibility of digital images (photos), posted on his or her personal bulletin or “wall,” except for the user’s profile picture and ID, by selecting his or her desired privacy setting:
Public - the default setting; every Facebook user can view the photo;
Friends of Friends - only the user’s Facebook friends and their friends can view the photo;
Friends - only the user’s Facebook friends can view the photo;
Custom - the photo is made visible only to particular friends and/or networks of the Facebook user; and
Only Me - the digital image can be viewed only by the user.

The foregoing are privacy tools, available to Facebook users, designed to set up barriers to broaden or limit the visibility of his or her specific profile content, statuses, and photos, among others, from another user’s point of view. In other words, Facebook extends its users an avenue to make the availability of their Facebook activities reflect their choice as to “when and to what extent to disclose facts about [themselves] – and to put others in the position of receiving such confidences.”( Westin, Alan, Privacy and Freedom, cited in Valerie Steeves’ work, Reclaiming the Social Value of Privacy) Ideally, the selected setting will be based on one’s desire to interact with others, coupled with the opposing need to withhold certain information as well as to regulate the spreading of his or her personal information. Needless to say, as the privacy setting becomes more limiting, fewer Facebook users can view that user’s particular post.When there can be an expectation of privacy?

It is through the availability of said privacy tools that many OSN users are said to have a subjective expectation that only those to whom they grant access to their profile will view the information they post or upload thereto.

This, however, does not mean that any Facebook user automatically has a protected expectation of privacy in all of his or her Facebook activities.

Before one can have an expectation of privacy in his or her OSN activity, it is first necessary that said user, manifests the intention to keep certain posts private, through the employment of measures to prevent access thereto or to limit its visibility. And this intention can materialize in cyberspace through the utilization of the OSN’s privacy tools. In other words, utilization of these privacy tools is the manifestation, in cyber world, of the user’s invocation of his or her right to informational privacy.
Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny access to his or her post or profile detail should not be denied the informational privacy right which necessarily accompanies said choice. Otherwise, using these privacy tools would be a feckless exercise, such that if, for instance, a user uploads a photo or any personal information to his or her Facebook page and sets its privacy level at “Only Me” or a custom list so that only the user or a chosen few can view it, said photo would still be deemed public by the courts as if the user never chose to limit the photo’s visibility and accessibility. Such position, if adopted, will not only strip these privacy tools of their function but it would also disregard the very intention of the user to keep said photo or information within the confines of his or her private space.

Whether images were visible to Facebook users or confidential in nature.

Did the minors limit the disclosure of the photos such that the images were kept within their zones of privacy?

Petitioners, in support of their thesis about their children’s privacy right being violated, insist that Escudero intruded upon their children’s Facebook accounts, downloaded copies of the pictures and showed said photos to Tigol. To them, this was a breach of the minors’ privacy since their Facebook accounts, allegedly, were under “very private” or “Only Friends” setting safeguarded with a password. Ultimately, they posit that their children’s disclosure was only limited since their profiles were not open to public viewing. Therefore, according to them, people who are not their Facebook friends, including respondents, are barred from accessing said post without their knowledge and consent. It was contended that the photos were viewable by only five of them.

Escudero, on the other hand, stated in her affidavit that her students showed her some pictures of girls clad in brassieres. These students of mine informed her that these are senior high school students of STC, who are their friends in [F]acebook. x x x They then said [that] there are still many other photos posted on the Facebook accounts of these girls. At the computer lab, these students then logged into their Facebook account, and accessed from there the various photographs x x x. They even told her that there had been times when these photos were ‘public’ i.e., not confined to their friends in Facebook. The contention that there was intrusion into the privacy of their children is not correct.
Considering that the default setting for Facebook posts is “Public,” it can be surmised that the photographs in question were viewable to everyone on Facebook, absent any proof that petitioners’ children positively limited the disclosure of the photograph. If such were the case, they cannot invoke the protection attached to the right to informational privacy. The ensuing pronouncement in US v. Gines-Perez, 214 F. Supp. 2d at 225, is most instructive:

[A] person who places a photograph on the Internet precisely intends to forsake and renounce all privacy rights to such imagery, particularly under circumstances such as here, where the Defendant did not employ protective measures or devices that would have controlled access to the Web page or the photograph itself.

Also, United States v. Maxwell, 45 M.J. 406 [C.A.A.F.] 199], held that “[t]he more open the method of transmission is, the less privacy one can reasonably expect. Messages sent to the public at large in the chat room or e-mail that is forwarded from correspondent to correspondent loses any semblance of privacy.”

Effect if photos are viewable only by friends.

That the photos are viewable by “friends only” does not necessarily bolster the petitioners’ contention. The cyber community is agreed that the digital images under this setting still remain to be outside the confines of the zones of privacy.

Setting a post’s or profile detail’s privacy to “Friends” is no assurance that it can no longer be viewed by another user who is not Facebook friends with the source of the content. The user’s own Facebook friend can share said content or tag his or her own Facebook friend thereto, regardless of whether the user tagged by the latter is Facebook friends or not with the former. Also, when the post is shared or when a person is tagged, the respective Facebook friends of the person who shared the post or who was tagged can view the post, the privacy setting of which was set at “Friends.”

This, along with its other features and uses, is confirmation of Facebook’s proclivity towards user interaction and socialization rather than seclusion or privacy, as it encourages broadcasting of individual user posts. In fact, it has been said that OSNs have facilitated their users’ self-tribute, thereby resulting into the “democratization of fame.”

No intrusion into privacy by STC; why?

Even assuming that the photos in issue are visible only to the sanctioned students’ Facebook friends, respondent STC can hardly be taken to task for the perceived privacy invasion since it was the minors’ Facebook friends who showed the pictures to Tigol. Respondents were mere recipients of what were posted. They did not resort to any unlawful means of gathering the information as it was voluntarily given to them by persons who had legitimate access to the said posts. Clearly, the fault, if any, lies with the friends of the minors. Curiously enough, however, neither the minors nor their parents imputed any violation of privacy against the students who showed the images to Escudero.

Photos are not personal in nature.

There can be no quibbling that the images in question, or to be more precise, the photos of minor students scantily clad, are personal in nature, likely to affect, if indiscriminately circulated, the reputation of the minors enrolled in a conservative institution. There was no evidence to show that privacy settings to the photos were visible only to them or to a select few. Without proof that they placed the photographs subject of this case within the ambit of their protected zone of privacy, they cannot now insist that they have an expectation of privacy with respect to the photographs in question.

Had it been proved that the access to the pictures posted were limited to the original uploader, through the “Me Only” privacy setting, or that the user’s contact list has been screened to limit access to a select few, through the “Custom” setting, the result may have been different, for in such instances, the intention to limit access to the particular post, instead of being broadcasted to the public at large or all the user’s friends en masse, becomes more manifest and palpable.